__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

      Buffer Overrun in Microsoft Data Access Components (MDAC)
               [Microsoft Security Bulletin MS02-065]

November 21, 2002 00:00 GMT                                   Number N-016
______________________________________________________________________________
PROBLEM:       There is a buffer overrun vulnerability in the Microsoft Data
               Access Components (MDAC) Data Stub that affects web servers
               and clients.

PLATFORM:      * All Windows systems that run MDAC versions prior to 2.7,
                 including:
                 * Microsoft Internet Explorer 5.01
                 * Microsoft Internet Explorer 5.5
                 * Microsoft Internet Explorer 6.0

DAMAGE:        By exploiting this vulnerability an attacker can run code of
               choice on a user's system, up to and including administrator
               privileges.

SOLUTION:      Apply patches or workarounds as described in Microsoft's
               bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. MDAC is commonly included by default in
ASSESSMENT:    many versions of Windows. A remote user can gain
               administrator privileges.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-016.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-065.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-065 *****]

Microsoft Security Bulletin MS02-065

Buffer Overrun in Microsoft Data Access Components Could Lead to Code
Execution (Q329414)

Originally posted: November 20, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Windows®,
particularly those who operate web sites or browse the Internet.
Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: Users should apply the patch immediately.

Affected Software:
 * Microsoft Data Access Components (MDAC) 2.1
 * Microsoft Data Access Components (MDAC) 2.5
 * Microsoft Data Access Components (MDAC) 2.6
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 6.0

Note: The vulnerability does not affect Windows XP, despite the fact that it
uses Internet Explorer 6.0. Windows XP customers do not need to take any
action.

End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms02-065.asp

Technical details

Technical description:

Microsoft Data Access Components (MDAC) is a collection of components used to
provide database connectivity on Windows platforms. MDAC is a ubiquitous
technology, and it is likely to be present on most Windows systems:
 * It is included by default as part of Windows XP, Windows 2000, and
   Windows Millennium.
 * It is available for download as a stand-alone technology in its own
   right.
 * It is either included in or installed by a number of other products and
   technologies. For instance, MDAC is included in the Windows NT® 4.0
   Option Pack, and some MDAC components are present as part of Internet
   Explorer even if MDAC itself is not installed.

MDAC provides the underlying functionality for a number of database
operations, such as connecting to remote databases and returning data to a
client. One of the MDAC components, known as Remote Data Services (RDS),
provides functionality that supports three-tiered architectures – that is,
architectures in which a client’s requests for service from a back-end
database are intermediated through a web site that applies business logic
to them.
A security vulnerability is present in the RDS implementation, specifically
in a function called the RDS Data Stub, whose purpose is to parse incoming
HTTP requests and generate RDS commands. A security vulnerability resulting
from an unchecked buffer in the Data Stub affects versions of MDAC prior to
version 2.7 (the version that shipped with Windows XP). By sending a
specially malformed HTTP request to the Data Stub, an attacker could cause
data of his or her choice to overrun onto the heap. Although heap overruns
are typically more difficult to exploit than the more common stack overrun,
Microsoft has confirmed that in this case it would be possible to exploit
the vulnerability to run code of the attacker’s choice on the user’s system.

Both web servers and web clients are at risk from the vulnerability:
 * Web servers are at risk if a vulnerable version of MDAC is installed and
   running on the server. To exploit the vulnerability against such a web
   server, an attacker would need to establish a connection with the server
   and then send a specially malformed HTTP request to it, which would have
   the effect of overrunning the buffer with the attacker’s chosen data. The
   code would run in the security context of the IIS service (which, by
   default, runs in the LocalSystem context).
 * Web clients are at risk in almost every case, as the RDS Data Stub is
   included with all current versions of Internet Explorer and there is no
   option to disable it. To exploit the vulnerability against a client, an
   attacker would need to host a web page that, when opened, would send an
   HTTP reply to the user's system and overrun the buffer with the
   attacker's chosen data. The web page could be hosted on a web site or
   sent directly to users as an HTML Mail. The code would run in the
   security context of the user.

Clearly, this vulnerability is very serious, and Microsoft recommends that
all customers whose systems could be affected by it take appropriate action
immediately.
 * Customers using Windows XP, or who have installed MDAC 2.7 on their
   systems, are at no risk and do not need to take any action.
 * Web server administrators who are running an affected version of MDAC
   should either install the patch, disable MDAC and/or RDS, or upgrade to
   MDAC 2.7, which is not affected by the vulnerability.
 * Web client users who are running an affected version of MDAC should
   install the patch immediately on any system that is used for web
   browsing.

It is important to stress that the latter guidance applies to any system
used for web browsing, regardless of any other protective measures that have
already been taken. For instance, a web server on which RDS had been
disabled would still need the patch if it was occasionally used as a web
client.

Before deploying the patch, customers should familiarize themselves with the
caveats discussed in the FAQ and in the Caveats section below.

Mitigating factors:

Web Servers
 * Web servers that are using MDAC version 2.7 (the version that shipped
   with Windows XP) or later are not at risk from the vulnerability.
 * Even if a vulnerable version of MDAC were installed, a web server would
   only be at risk if RDS were enabled. RDS is disabled by default on clean
   installations of Windows XP and Windows 2000, and can be disabled on
   other systems by following the guidance in the IIS Security Checklist.
   In addition, the IIS Lockdown Tool will automatically disable RDS when
   used in its default configuration.
 * If the URLScan tool were deployed with its default ruleset (which allows
   only ASCII data to be present in an HTTP request), it is likely that the
   vulnerability could only be used for denial of service attacks.
 * IIS can be configured to run with fewer than administrative privileges.
   If this has been done, it would likewise limit the privileges that an
   attacker could gain through the vulnerability.
 * IP address restrictions, if applied to the RDS virtual directory, could
   enable the administrator to restrict access to only trusted users. This
   is, however, not practical for most web server scenarios.

Web clients
 * Web clients that are using MDAC version 2.7 (the version that shipped
   with Windows XP) or later are not at risk from the vulnerability.
 * The HTML mail-based attack vector could not be exploited automatically
   on systems where Outlook 98 or Outlook 2000 were used in conjunction
   with the Outlook Email Security Update, or Outlook Express 6 or Outlook
   2002 were used in their default configurations.
 * Exploiting the vulnerability would convey to the attacker only the
   user’s privileges on the system. Users whose accounts are configured to
   have few privileges on the system would be at less risk than ones who
   operate with administrative privileges.

Severity Rating:
  +++++++++++++++++++++++++++++++++++++
  MDAC 2.1                 Critical
  +++++++++++++++++++++++++++++++++++++
  MDAC 2.5                 Critical
  +++++++++++++++++++++++++++++++++++++
  MDAC 2.6                 Critical
  +++++++++++++++++++++++++++++++++++++
  MDAC 2.7                 Not affected
  +++++++++++++++++++++++++++++++++++++
  Internet Explorer 5.01   Critical
  +++++++++++++++++++++++++++++++++++++
  Internet Explorer 5.5    Critical
  +++++++++++++++++++++++++++++++++++++
  Internet Explorer 6.0    Critical
  +++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. This vulnerability is rated
critical because an attacker could take over an IIS server or an Internet
Explorer client and run code. Any IIS server with MDAC and all Internet
Explorer clients should apply the patch immediately.

Vulnerability identifier: CAN-2002-1142

Tested Versions:
Microsoft tested MDAC 2.1, 2.5, 2.6 and 2.7 to assess whether they are
affected by the server-side vulnerability.
In addition, Microsoft also tested Internet Explorer 5.01, 5.5 and 6.0 to
assess whether they are affected by the client-side vulnerability. Previous
versions are no longer supported, and may or may not be affected by these
vulnerabilities.

Patch availability

Download locations for this patch

The following patch can be installed on all affected platforms:
 http://www.microsoft.com/downloads/Release.asp?ReleaseID=44733

Additional information about this patch

Installation platforms:
The patch can be installed on the following systems:
 * Windows 98 Gold
 * Windows 98SE Gold
 * Windows Me Gold
 * Windows NT4 Service Pack 6a
 * Windows 2000 Service Pack 2 or Service Pack 3

Inclusion in future service packs:
 * The fix for this issue will be included in the next service pack for
   MDAC 2.5. There will be no more service packs for MDAC 2.1 and MDAC 2.6.
 * The fix will also be included in Internet Explorer 5.01 Service Pack 4
   and Internet Explorer 6.0 Service Pack 2.

Reboot needed:
 * Web servers: We recommend rebooting the server after installing the
   patch.
 * Web client: It is not necessary to reboot after installing the patch.

Patch can be uninstalled: No.

Superseded patches: None.

Verifying patch installation:
 * Microsoft Knowledge Base article Q329414 provides a file manifest that
   can be used to verify the patch installation.

Caveats:
 * As discussed in the FAQ, the patch does not set the Kill Bit on the
   affected ActiveX control.
 * If, after applying the patch, an MDAC service pack that predates the
   patch is installed, the effect is to remove the patch. Moreover, because
   the patch files would still be on the system, Windows Update would not
   be able to detect that the patch files were not in use, and would not
   offer to reinstall the patch. Instead, the user would need to reinstall
   the patch manually after installing the service pack. An example would
   be users who have already patched their MDAC 2.5 machines.
   Then if they apply MDAC 2.5 Service Pack 2 over the already patched MDAC
   2.5 machines, it's possible that there would be a regression, making it
   necessary for the users to reinstall this patch.

Localization: Localized versions of this patch are available at the
locations discussed in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:
 * Security patches are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for "security_patch".
 * Patches for consumer platforms are available from the WindowsUpdate web
   site.

Other information:

Acknowledgments
Microsoft thanks Foundstone Research Labs for reporting this issue to us
and working with us to protect customers.

Support:
 * Microsoft Knowledge Base article Q329414 discusses this issue. Knowledge
   Base articles can be found on the Microsoft Online Support web site.
 * Technical support is available from Microsoft Product Support Services.
   There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its suppliers
have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:
 * V1.0 (November 20, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-065 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5 Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files
N-011: Cumulative Patch for Internet Information Service
N-012: Windows 2000 Default Permissions Could Allow Trojan Horse Program
N-013: ISC Remote Vulnerabilities in BIND4 and BIND8
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns